Skip to content

ROX-30728: add fallback to internal k8s svc for FM/FS k8s auth#2421

Merged
johannes94 merged 5 commits intomainfrom
jmalsam/iam-config-for-rosa-hcp-e2e
Sep 2, 2025
Merged

ROX-30728: add fallback to internal k8s svc for FM/FS k8s auth#2421
johannes94 merged 5 commits intomainfrom
jmalsam/iam-config-for-rosa-hcp-e2e

Conversation

@johannes94
Copy link
Copy Markdown
Contributor

@johannes94 johannes94 commented Sep 2, 2025
edited
Loading

Description

This PR changes the KubernetesIssuer for FM <> FS auth.

Current behavior:

  • Fetch the openid configuration
  • Fetch the JWKS from the url given in that configuration

New behavior:

  • Fetch the openid configuration
  • Try to fetch the JWKS from the URL given in that config
  • If it fails try kubernetes.default.svc as a Host instead

This is required as a step to use ROSA HCP for e2e test, because infra ROSA HCPs do not publicly expose the JWKS given in the openid configuration, but using the internal svc works.

Checklist (Definition of Done)

  • Unit and integration tests added
  • Added test description under Test manual
  • Documentation added if necessary (i.e. changes to dev setup, test execution, ...)
  • CI and all relevant tests are passing
  • Add the ticket number to the PR title if available, i.e. ROX-12345: ...
  • Discussed security and business related topics privately. Will move any security and business related topics that arise to private communication channel.
  • Add secret to app-interface Vault or Secrets Manager if necessary
  • RDS changes were e2e tested manually
  • Check AWS limits are reasonable for changes provisioning new resources
  • (If applicable) Changes to the dp-terraform Helm values have been reflected in the addon on integration environment

Test manual

TODO: Add manual testing efforts

# To run tests locally run:
make db/teardown db/setup db/migrate
make ocm/setup
make verify lint binary test test/integration

@johannes94 johannes94 requested a review from kovayur September 2, 2025 09:40
@openshift-ci openshift-ci bot added the approved label Sep 2, 2025
kovayur
kovayur reviewed Sep 2, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@kovayur kovayur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change looks good and covers more use cases. One question: Can we remove the override defined in getJwksURI and only rely on the new one?

@johannes94
Copy link
Copy Markdown
Contributor Author

johannes94 commented Sep 2, 2025

@kovayur Applied the suggested changes, thanks.

@johannes94 johannes94 requested a review from kovayur September 2, 2025 13:29
@johannes94 johannes94 changed the title add Fallback to internal k8s svc for FM/FS k8s auth ROX-30728: add fallback to internal k8s svc for FM/FS k8s auth Sep 2, 2025
kovayur
kovayur approved these changes Sep 2, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@kovayur kovayur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@openshift-ci openshift-ci bot added the lgtm label Sep 2, 2025
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Sep 2, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johannes94, kovayur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@johannes94 johannes94 merged commit 3d7b9db into main Sep 2, 2025
15 checks passed
@johannes94 johannes94 deleted the jmalsam/iam-config-for-rosa-hcp-e2e branch September 2, 2025 15:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kovayur kovayur kovayur approved these changes

Assignees

@kovayur kovayur

Labels

approved lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@johannes94 @kovayur